You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/08/21 04:21:00 UTC
[jira] [Commented] (IMPALA-8869) Fix handling of HTTP keep-alive
when returning 401
[ https://issues.apache.org/jira/browse/IMPALA-8869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16911938#comment-16911938 ]
ASF subversion and git services commented on IMPALA-8869:
---------------------------------------------------------
Commit 4b5ea534d25b7d18d6ecb71d90c18efda99c1b29 in impala's branch refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=4b5ea53 ]
IMPALA-8869: Fix handling of HTTP keep-alive when returning 401
Recent work has added support for HTTP authentication both for the
thrift hs2 interface and for the webserver. In both cases, we
mishandle HTTP keep-alive semantics when returning a 401 because we
close the connection but don't return a 'Connection: close' header,
even though we're using HTTP/1.1 where keep-alive is assumed, which
can cause clients to incorrectly believe that the connection has
remained open.
For the webserver, the fix is to enable keep-alive in squeasel so
that the connection isn't closed after the 401 is returned.
For the thrift hs2 interface, we throw an exception after the 401
which results in the connection being closed because otherwise it's
tricky with the way thrift is structured to ensure that the
unauthorized request isn't processed. So, the fix here is to return a
'Connection: close' header.
Testing:
- Ran existing HTTP auth tests.
- Manually tested in a cluster with connections to Impala proxied
through Apache Knox.
Change-Id: I3d5f80dbcde5b623a1d0586b5d763a062dd21afa
Reviewed-on: http://gerrit.cloudera.org:8080/14076
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-by: Thomas Tauber-Marshall <tm...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
> Fix handling of HTTP keep-alive when returning 401
> --------------------------------------------------
>
> Key: IMPALA-8869
> URL: https://issues.apache.org/jira/browse/IMPALA-8869
> Project: IMPALA
> Issue Type: Bug
> Components: Clients
> Affects Versions: Impala 3.3.0
> Reporter: Thomas Tauber-Marshall
> Assignee: Thomas Tauber-Marshall
> Priority: Blocker
>
> Recent work has added support for HTTP authentication both for the thrift hs2 interface and for the webserver. In both cases, we mishandle HTTP keep-alive semantics when returning a 401 to indicate an unauthorized request because we close the connection but don't return a "Connection: closed" header, which can cause clients to incorrectly believe that the connection has remained open.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org